In my routers, I dual boot. I copied the firmware into an image I store on MMC, which is what gets patched and modified. The only change in the original root is a startup script that flashes an LED, waits a few seconds for a keypress, and if none, loads the mmc driver, loopmounts the image, and does a pivotroot to it. If the button is pressed while the LED flashes, it falls through and does nothing, letting the stock firmware run.

We could do something similar here.

Because of the pivotroot, ONLY the image code is running, unlike chroot where only a process switches over. We can modify our copy of the OS all we want, and boot the original code by pressing a button when the LED flashes during boot. We can even intercept an update, and let the update analyze the original unmodified code, like a viral rootkit...

The kindle needs a rootkit!

Of course, having an image that is a copy of everything would use space, and the newer kindles have smaller storage. In my images, I have symlinks to the original stuff that was pivoted out to a mount point. I only replace busybox stuff when I need extra functionality. My image copy gets duplicates replaced by symlinks, making it a lot smaller.

A more modern way to do this with less manual intervention would be a COW fs that overlays the original, similar to how OpenWrt works.

If we pivotroot, it would be nice to detect a "phone home" app or backdoor intrusion by amazon, and chroot that process back to the original mountpoints.

The reason I brought this up is that it could simplify uninstalls and updates, and would allow what would otherwise be very intrusive mods.

Alternatively, bind mounts could replace pivotroot in most cases, but would still need a startup script to do the mounts.

As a minimum though, I would like to see a dual boot based on pressing a button at just the right time, signalled by an LED flash, or some onscreen indicator, or a brief non-annoying "jailbreak" sound during bootup (signalling when to press a button to skip jailbreak boot). For that matter, you could even write a boot menu to the framebuffer and wait a few seconds for a keypress before the default selection boots.

We could even select an alternate GUI or desktop from the boot menu (even a stripped down Windows inside QEMU, just because we can).
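As an added example (not code from this thread or from any Kindle project), here is a sketch of the two pieces the post above describes: a boot hook that flashes an LED, listens for a button, and either falls through to the stock init or loop-mounts an image from the MMC store and pivot_roots into it, plus the build-time helper that shrinks the image copy by turning files identical to the stock tree into symlinks back into the pivoted-out root. Every device path in it (the LED and button sysfs nodes, the image location, the mmc module name, the /oldroot mount point) is an assumption for illustration, marked as such in the comments.

```shell
#!/bin/sh
# Added example, not code from the thread or from any Kindle project. Two pieces of the
# dual-boot setup described above: (1) a boot hook that flashes an LED, waits for a
# button, and either falls through to the stock init or loop-mounts an image from the
# MMC store and pivot_roots into it; (2) a build-time helper that shrinks the image copy
# by turning files identical to the stock tree into symlinks back into the pivoted-out
# root. Every path below is an ASSUMPTION for illustration, not a real Kindle node.
LED=${LED:-/sys/class/leds/example/brightness}   # assumed sysfs LED node
BUTTON=${BUTTON:-/sys/class/gpio/gpio0/value}     # assumed GPIO input, reads 1 when pressed
IMAGE=${IMAGE:-/mnt/us/rootfs.img}                # assumed image file on the MMC user store
NEWROOT=${NEWROOT:-/newroot}                      # where the image is loop-mounted
OLDROOT=oldroot                                   # stock root is left at /oldroot in the image
WAIT=${WAIT:-4}                                   # seconds to listen for the button

# Flash the LED n times (on for BLINK_DELAY, off for BLINK_DELAY), leaving it off.
blink_led() {
  led=$1 n=$2 i=0
  while [ "$i" -lt "$n" ]; do
    echo 1 > "$led"; sleep "${BLINK_DELAY:-1}"
    echo 0 > "$led"; sleep "${BLINK_DELAY:-1}"
    i=$((i + 1))
  done
}

# Poll the button's value file once per POLL_DELAY for up to $2 polls; 0 means pressed.
wait_for_button() {
  btn=$1 polls=$2 i=0
  while [ "$i" -lt "$polls" ]; do
    [ "$(cat "$btn" 2>/dev/null)" = "1" ] && return 0
    sleep "${POLL_DELAY:-1}"
    i=$((i + 1))
  done
  return 1
}

# Decide which root to run: "stock" if the button was pressed during the LED flash,
# "image" otherwise. Kept free of mounts so the decision can be exercised unprivileged.
choose_root() {
  blink_led "$LED" $((WAIT / 2)) &                # one two-second flash per two seconds of window
  if wait_for_button "$BUTTON" "$WAIT"; then echo stock; else echo image; fi
  wait
}

# Make the image the only root: pivot_root swaps the whole system over, unlike chroot,
# which only confines the one process. The stock tree stays reachable under /oldroot so
# the image's symlinks (see dedupe_tree) still resolve.
pivot_to_image() {
  modprobe mmc_block 2>/dev/null || true          # module name assumed; no-op if built in
  mkdir -p "$NEWROOT"
  mount -o loop "$IMAGE" "$NEWROOT"
  mkdir -p "$NEWROOT/$OLDROOT"
  cd "$NEWROOT"
  pivot_root . "$OLDROOT"
  mount --move "$OLDROOT/dev" dev 2>/dev/null || true
  mount --move "$OLDROOT/proc" proc 2>/dev/null || true
  exec chroot . /sbin/init
}

# dedupe_tree IMAGE_DIR STOCK_DIR LINK_PREFIX: for every regular file in the image that
# is byte-identical to its stock counterpart, replace it with a symlink to
# LINK_PREFIX/<relative path> (LINK_PREFIX is where the stock root sits at run time).
# Files that differ (a replaced busybox) or exist only in the image are left alone.
# Prints the relative path of each file it replaced.
dedupe_tree() {
  img=$1 stock=$2 prefix=$3
  find "$img" -type f | while IFS= read -r f; do
    rel=${f#"$img"/}
    orig=$stock/$rel
    [ -f "$orig" ] || continue
    cmp -s "$f" "$orig" || continue
    ln -sf "$prefix/$rel" "$f"
    echo "$rel"
  done
}

# Sourcing the file only defines the functions; the hook acts when run as "--boot".
if [ "${1:-}" = "--boot" ]; then
  case "$(choose_root)" in
    stock) exit 0 ;;            # fall through and let the stock firmware boot untouched
    image) pivot_to_image ;;
  esac
fi
```

The hook would be called from the stock startup sequence before the normal init work, which is the one change to the original root the post describes; dedupe_tree is run once against the unpacked image before it is written to the MMC store, with LINK_PREFIX matching the put_old directory the hook uses.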

So after looking through the Kindle touch's java operating system, I see that amazon has made our lives easy. Everything seems to be plugin-able. You can write handlers for more book formats (ePub?) and you can write plugins for readers (like x-ray), and you can also map kindlet views to various menus and stuff. And with the java code not obfuscated, it's just a matter of seeing how amazon implements a feature and using the same method to implement your own features.


Hmm, so is that also the case for the Kindle4 notouch? I remember you said a jailbreak for the touch will also work on the Kindle 4, are you now hinting that all Touch-Mods will also work on the Kindle4?

If you write a hack that plugs into the Kindle Touch Java framework, it will not work on any other kindles. Old hacks, ones written in C code or whatever (usbnet, ss hack, etc) would still work as they usually do.

I just realized that nobody ever posted detailed opening directions for the touch. Most just go "pry the bottom half first and remove the rest of the covers." It's really easy to damage the back, so here are some detailed instructions. I will define the "top" as where the kindle text is and the "bottom" as where the FCC text is.

The case is held together by 4 hooks on the top left and top right (2 left and 2 right) and 4 tabs on the bottom left and right (2 and 2). There are also 6 very tiny tabs on the bottom and 4 on the top, but you should never start from the top because of the 4 hooks. Begin by taking a very thin piece of plastic (or anything thin and hard, but not a knife because you may damage something). Insert it into the bottom between the case and the device. Carefully pry until the bottom is loose. Now move your thin plastic to the right and left until you feel half the case loose. Do NOT attempt to pry the entire case off. As I've mentioned earlier, there are 4 hooks. With half the case loose, take the thin plastic and insert it into the top of the case between it and the device. Do NOT pry as you did on the bottom. Instead, push down (not in) and you will see the case slide down. You may have to slide the right half and left half of the case separately. Once it slides down enough (you can't push it anymore), you can lift the case off easily.

To put it back on, you need to slide the top half of the case in and press the bottom half down. It's self-explanatory if you get it open.